The Internet of things (IoT) is being driven by domestic use as well as business projects, with the average American household already running 11 connected devices. The roll-out of 5G will drastically boost that already high figure, with “an explosion of connected devices in the home, and in your car and on your body”, according to a study by Deloitte.

These numbers confirm that companies must become IoT players because that is the way the entire world is evolving. It’s easy to see the benefits and exciting possibilities, yet it’s also easy to overlook the new threats that come each time an additional device accesses your network, participants heard during a recent TechCentral C-suite discussion sponsored by Palo Alto Networks and Obscure Technologies.

“There’s no doubt that IoT is going to open the door for innovation, but from the threat aspect, it doesn’t matter whether you are in oil and gas, power, security, or banking — the vulnerability of IoT being unencrypted and vulnerable is the same for everyone,” said Trevor Coetzee, the SADC regional director for Palo Alto Networks.

Ideally, security must be addressed when an IoT project is in its infancy, if not before. Advocate Lufuno Khorommbi, MD of cyberlaw at Orizur, said cybersecurity was unfortunately still treated as an addition rather than a core requirement, both from the technical and the legal side. The recent introduction of the Protection of Personal Information Act has seen everyone running around trying to become compliant, but there is a widespread lack of appropriate governance, she said. “Very few companies are actually doing awareness and education. There’s too much ignorance in terms of the legal side of things, and around cybersecurity governance in general.”

Cash distribution company SBV has approached it from the right angle, believes its chief security officer Ian Keller. “I sit with the C-suite and represent security at the board, and security is part and parcel of what my company does. It’s front of mind the entire time — nothing happens without security. When we bring in a new product that’s connected to the Internet, it comes past our team to make sure it’s secure and it’s looked after,” he said. “But I have to add the caveat that it has been a very long and hard slog to change the mindset from pure physical security to cybersecurity.”

For a service provider like Vox, the biggest challenge was knowing what a customer’s crown jewels were in terms of what needed to be protected. “The IoT has a big impact on security and on regulations, and to overcome the challenges, organisations need to know what is out there, what it’s connected to, and what their information assets are,” said Niel van Rooyen, Vox’s head of information security.

Gathering all that information was a large task, and an equally big problem was not having security built-in from the ground up but trying to bolt it on afterwards.

How companies can best handle security around IoT devices can depend on their size as well as their business sector. Absa has a full Security Operation Centre (SOC), which makes security a lot easier to manage in a large company, said Ignus van Zyl, its lead security analyst and chief security officer for Africa Technology.

“There’s definitely a line that has to be drawn based on a company’s size, as well as what the main focus of the business is,” he recommended. “If you’re dealing with a smaller company of 40 or 50 people instead of 40 000 or 50 000, it might be worth outsourcing security, because the amount of money and effort needed to train up, manage and sustain an SOC might outweigh the benefits.”

The larger a company, the more it should consider handling security in-house, because there was more to protect, more to be aware of, and more teams that had to interact with each other, he suggested.

Size doesn’t matter for any company operating in a sector with heavy security requirements, Van Zyl said, because for them it’s important to have an in-house team that’s right there for any issues that arise.

Unfortunately, staff turnover for these skills is high through an element of burnout because each incident must be treated as an actual threat, and that intensity takes its toll.

Bramley Maetsa, head of DevOps engineering at Sasol, agreed that security should be in-house for big corporations. He also agreed that finding the right talent was tough. “We had to augment our internal teams with consultants, but as a huge organisation, we need to own the IP and have control over it,” he said.

City Power uses both in-house and outsourced security experts to protect its ICT environment, said Rachel Seabela, GM of ICT. Traditional ICT security to protect end users and their devices is augmented by security around IoT devices like the cameras in underground tunnels that house City Power’s electric cables. “We have an internal team that provides that first-line support and responds to basic user requirements or questions,” said Seabela. “We also have strategic partners that respond to the more technical issues, as we don’t have the expertise in-house to respond to them.”

Many companies could easily improve their security profile if CIOs were encouraged to graduate to the CEO’s position, suggested Charles Kungwane, chief IT security officer at Motus. CEOs with an accounting background are business driven, but not sufficiently clued-up about the IT side to give it a high priority, he said.

So far, the Land Bank doesn’t have any IoT devices, but information security in general is a big concern for Wilma Nel, its head of IT governance, risk and compliance. One difficulty was getting senior managers to understand the threat landscape and deal with the risks. “We have to guard against the same kind of threats that commercial banks do,” she said. “For me, the biggest headache is that as the bank goes on a digital transformation, IoT will be there, and I’m concerned about how I’m going to secure it when I don’t have the resources.”

For business consultancy EY, security is already embedded within its offerings as well as throughout its landscape. Annalyn Rejji, its technology infrastructure leader and head of its Africa Assurance Digital & Innovation, said one exciting thing she had seen were e-learning platforms, many of them focusing on training in the core skills required around security.

As well as needing to get closer to the board, CIOs should also take a broader look at their jobs as security practitioners, because digitisation had transformed the way they needed to operate, said Haider Pasha, senior director and chief security officer for emerging markets with Palo Alto Networks.

“If your task is to secure an organisation, you’re not just thinking around infrastructure anymore. We have to bring things such as incident response and security awareness into all the other areas of the business,” he said. “We have to think about identity very differently now, and even though we may not be fully in the cloud, we still have to think about how different types of users should be given different types of access, because the traditional defence model doesn’t work anymore,” he said. “We also have to think about zero trust and how to do micro segmentation.”

Pasha told the panellists that he’d had many discussions with clients around the “unteach and teach” model. “You have to ‘unteach’ the board some of the perceptions they have of cybersecurity being a blocker and not a business enabler. You do that by talking around risk, which is critical, because if you cannot quantify the risks to the business and explain how that risk impacts a certain business priority that they have, then there isn’t a lot of value we can bring to the conversation.”